Thank you for downloading the Zowe binary
How to verify binaries with digital signatures
All Zowe binaries are signed using Sigstore, an OpenSSF project.
Pre-Requisites
- Make sure the Cosign CLI is installed. Follow these installation instructions.
Download the Verification Bundle
Online Verification
This verification method is the preferred option for digital signature validation. It requires an internet connection with access to the public Sigstore infrastructure (*.sigstore.dev). Ensure that the artifact you downloaded and its respective signing bundle you acquired from the pre-requisite step are in the same directory. Navigate to that directory with your terminal, and issue the following command:
cosign verify-blob ./artifact-you-downloaded --bundle ./bundle-you-downloaded \
  --certificate-identity=https://github.com/zowe/zowe-install-packaging/.github/workflows/build-packaging.yml@refs/heads/v3.x/master \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
If the verification succeeded, you will see:
Verified OK
If the verification failed, you will see:
Error: error verifying bundle: matching bundle to payload: ....more output
Offline Verification
This verification method is >>not<< the preferred option for digital signature validation, as the signature is not compared against the public transparency log. This method is useful mostly for artifact hash validation. Ensure that the artifact you downloaded and its respective signing bundle you acquired from the pre-requisite step are in the same directory. Navigate to that directory with your terminal, and issue the following command:
cosign verify-blob ./artifact-you-downloaded --bundle ./bundle-you-downloaded --offline=true \
  --certificate-identity=https://github.com/zowe/zowe-install-packaging/.github/workflows/build-packaging.yml@refs/heads/v3.x/master \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
If the verification succeeded, you will see:
Verified OK
If the verification failed, you will see:
Error: error verifying bundle: matching bundle to payload: ....more output
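For install automation, the online and offline commands above can be wrapped so that a failed or skipped check stops the install. This is an added example, not code from the Zowe project; the function name verify_zowe_artifact, its argument order and its return codes are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Zowe project code): fail-closed wrapper around the
# cosign verify-blob commands shown on this page.
# The function name, argument order and return codes are assumptions.

ZOWE_CERT_IDENTITY='https://github.com/zowe/zowe-install-packaging/.github/workflows/build-packaging.yml@refs/heads/v3.x/master'
ZOWE_OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Usage: verify_zowe_artifact <artifact> <bundle> [online|offline]
# Returns 0 only when cosign exits 0; 1 = verification failed, 2 = bad input, 3 = no cosign.
verify_zowe_artifact() {
  zv_artifact=$1; zv_bundle=$2; zv_mode=${3:-online}

  # A missing input must read as "not verified", never as a skipped check.
  [ -f "$zv_artifact" ] || { echo "artifact not found: $zv_artifact" >&2; return 2; }
  [ -f "$zv_bundle" ]   || { echo "bundle not found: $zv_bundle" >&2; return 2; }
  command -v cosign >/dev/null 2>&1 || { echo "cosign CLI not installed" >&2; return 3; }

  set -- verify-blob "$zv_artifact" --bundle "$zv_bundle"
  case $zv_mode in
    online)  ;;                              # preferred: uses the public Sigstore infrastructure
    offline) set -- "$@" --offline=true ;;   # no transparency-log comparison
    *) echo "unknown mode: $zv_mode" >&2; return 2 ;;
  esac

  # Decide on cosign's exit status, not on the "Verified OK" text.
  if cosign "$@" \
       --certificate-identity="$ZOWE_CERT_IDENTITY" \
       --certificate-oidc-issuer="$ZOWE_OIDC_ISSUER"; then
    return 0
  fi
  echo "signature verification FAILED for $zv_artifact; do not install it" >&2
  return 1
}

# Script entry point: sh verify.sh ./artifact-you-downloaded ./bundle-you-downloaded [offline]
if [ "$#" -ge 2 ]; then verify_zowe_artifact "$@"; exit $?; fi
```

Pinning both --certificate-identity and --certificate-oidc-issuer in one place keeps the check tied to the build workflow named on this page rather than to any valid Sigstore signature.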